Home page logo
/

nanog logo nanog mailing list archives

Re: Worm probes
From: Iljitsch van Beijnum <iljitsch () muada com>
Date: Tue, 18 Sep 2001 19:36:27 +0200 (CEST)


On Tue, 18 Sep 2001, Joseph McDonald wrote:

Yes. We are seeing it here bigtime.  Does anyone have any apache hacks
to lessen the impact?  One idea:  Once a probe is sent, the prober's
IP# is stored in a hash (perhaps in shared memory or a mmap'd file
that all children can share) and new connections from that IP are no
longer accepted.

Or what about this: redirect your 404 to a PHP script with something like:

ErrorDocument 404 /404.php

and then let a script like this waste the attacker's time:

<?
  echo "404 This page is not available.\n";
  flush();
  sleep(150);
?>

This should slow the scanning and thus the waste of bandwidth and spread
rate of the infections down. At least, if the worm is single threaded.

Iljitsch van Beijnum


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault